Monthly Archives: June 2006

“The Bush Administration is giving federal civilian agencies just 45 days to comply with new recommendations for laptop encryption and two-factor authentication.” – http://www.securityfocus.com/brief/239

45 days. Man, I hope they’ve already started, because 45 days to analyse the field, pick a vendor, test proof of concept, agree on licences, buy the software, deploy a pilot, train staff, and roll out to everyone without making day one into a mass “hey, guys, I forgot my password, can you decrypt me?” phone-tag game – wow, that’s tight.

Like I say, I hope they’ve already started – and quite frankly, I already hoped they’d already started, because to not do so… that’s crazy.

Of course, the other tack to take – at the same time, I hope – is to stop storing the damn data on the portable devices. Wherever possible, those laptops (and other portable data storage devices, let’s not forget thumb drives) need to have nothing more damning on them than a copy of Windows (or, I don’t know, Fisher Price’s “My Little Sony”, whatever you other people use), and the VPN client to connect back to the home base. Sure, sometimes you have to carry data around with you, but good luck getting approval to do so, or avoiding a tongue-lashing if you’re found to have that data on your laptop without a significant reason to do so.

I’m not going to. It’s an article you shouldn’t read, because you’re not going to use the right terms for the right things, and when you go asking for help from networking experts, they’ll look at you in much the same way as security experts look at Steve Gibson. [The look is “how the hell do you get anything done, knowing so little about the field?”]

I’ve met Larry, and he’s a nice guy, so I really thought twice about making this post – and I apologise if I hurt Larry’s feelings by saying it… but I have been on a fifteen-year march to persuade people to stop writing crap networking apps, by getting them to understand what they’re doing, and I can’t stop now.

Finally, in the case that perhaps I don’t have it correct, I’m going to retro-edit it if mistakes are pointed out, because the worst thing you can do is have someone search for the answer, and the first text they come back with is wrong.

But consider that this will effectively scan and read any print that is visible anywhere, and you realise that this device is a handy little DRM beater.

Mind you, so is a digital camera with good resolution – or a non-digital camera, for that matter.

Or a person with a notepad and pen.

Once again, this just underlines that DRM is workable only in the situation where you have extra, non-technological controls over the people with whom you share the DRM-protected material.

DRM is nothing more than a reminder to honest participants that they should not be passing copies around.

It is sad that many in the publishing industry are convinced that it is a panacea, and will prevent copyright infringement. The pirates simply continue to copy the bits (DVDs have DRM, but if you simply copy the bits exactly, the DVD created plays without complaint), and it's only those people that want to move content to different devices (i.e. non-DVD storage, such as a laptop hard-drive, for power-friendly viewing) that are prevented from doing so.

What do you call a "security measure" that has no effect on security, but substantially reduces usefulness for people who are legitimate users?

Short for “Admin Here”, I’ve been enjoying this little one-line batch script:

@runas /u:%1 "cmd /k cd /d %cd%"

What’s it do?

First, it’s important to note that it takes a parameter, the username that you want to run as.

It’ll open up a new CMD window – a command prompt window – in the directory that you’re currently in. This prevents you from arriving in the C:\Windows\System32 directory every time you realise that you need an administrator account to run a few commands.

ADFILE.BAT

Short for “Admin File”, here’s the obvious next step:

@runas /u:%1 "cmd /c cd /d %cd% & start %2"

Takes two parameters, the first being the user you want to runas, and the second being the file you want to run / open.
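A slightly more defensive version that folds both scripts into one, added here as an example rather than the post’s own code: it refuses to run when the username is missing (otherwise runas gets an empty /u: and fails with an unhelpful error) and resolves the file argument to a full path before handing it to the new process. The script name ADHERE2.BAT is made up.

```batch
@echo off
rem ADHERE2.BAT (hypothetical name): ADHERE and ADFILE in one script.
rem Usage: ADHERE2 user [file]
rem   user : account to run as, e.g. MACHINE\Administrator
rem   file : optional file to open as that user; omitted = open a prompt here
if "%~1"=="" (
    echo Usage: %~n0 user [file]
    exit /b 1
)
if "%~2"=="" (
    rem No file: interactive prompt (/k keeps it open) in the current directory.
    runas /u:%1 "cmd /k cd /d %cd%"
) else (
    rem File given: %~f2 expands to the full path, so a relative name still
    rem resolves after the new process changes directory. As with the post's
    rem ADFILE, file names containing spaces are not handled.
    runas /u:%1 "cmd /c cd /d %cd% & start %~f2"
)
```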

Enjoy.

[Of course, you may want to hard-code the admin user name into the batch file. Be my guest]

[Update 7/7 – added the “/d” parameter, so you can “ADHERE” and “ADFILE” from directories on other drives.]

I’m frequently here blogging about biometrics and accessibility – too many biometric methods get confused when you don’t have the credential. Aniridia means you don’t have an iris, a lack of thumbs (congenital or accident-induced) means you don’t have a thumbprint.

Here’s another biometric that’s going to cause problems, and I may have blogged about it before – prosopagnosia. Yeah, it’s a long word, and difficult to type, so I’ll use the common abbreviation, “proso”.

I have a relatively mild, but noticeable, case of proso. I’ll tell a little story about myself, but first there’s a great, short article in yesterday’s Boston Globe. Read it – I’ll wait.

Okay, so here’s the story of the Starbucks Trinity.

Back when I was a stay-at-home dad, I would frequently trip off to Starbucks, for a drink and a chat, and to work on my laptop away from the Internet and phones.

One of the baristas there was studying Networking at the local college, so I’d chat with her every now and again, but her behaviour confused me – about two times out of three, she’d look at me like I was talking Greek.

After several weeks of this behaviour, I found out why – of course, you’ve guessed by now – they were three different women, each of different heights, weights, and hair colours. But because they all had long hair and wore glasses, I lumped them all in as the same person. This wasn’t a case of simply not bothering to look and pay attention – this (or one of these) was a person with whom I was talking about my field of interest.

One thing I take from the Boston Globe article is that this is more common than previously thought – perhaps as many as 1 in 50 people have this condition.

So, when you consider the “biometric” schemes that offer a pile of faces to choose from, and the user has to select the same person every time, bear in mind that one in 50 people will have trouble with that.

Okay, so I’m really talking about the TechEd keynotes here, not sessions on zero-day attacks. The keynotes were on the day before the first day, hence “zero day”.

While I didn’t recognise the actress that they dragged out to impress us, because I never watched “24”, she was far nicer eye-candy than the MS execs, so I guess that MS got their money’s worth.

My big complaint: a company that has repeatedly expressed concern over staff turnover is asking us to believe that they can advise us, their customers, how to be “people ready”? I’m not sure I can get behind that.

That, and they had the guy from Groove, Ray Ozzie, stand up and give us a twenty-minute talk about his history prior to Microsoft, telling us that his staff has used Groove to improve medical conditions in a remote region of Afghanistan. All good stuff, but I still have no over-arching view of what Groove does.

Some day, I think Microsoft ought to put up a list of all of their products, and a single paragraph that explains what the product does. Something like this:

Steve Riley and Jesper Johansson each have fan clubs at the Tech-Ed communications page. I’d link, but you have to have a TechEd registration to see it. Steve’s fan club has 10 members, Jesper’s has 7 – but we actually count Steve at 9, because he has joined his own fan club.

Those of us who know Steve are unsurprised by this.

Jesper has an edge, though, since his photo is featured in the slide-show they’re presenting prior to the keynote.